Solution From Outsiders for Microsoft’s Flaw

Microsoft has a VML (Vector Markup Language) flaw, which security firms have rated as critical. Microsoft has set October 10, 2006 as the deadline to patch the flaw. Meanwhile, a software engineering group called ZERT (Zero-day Emergency Response Team) has issued a temporary patch to prevent the trouble. E-Week has classified ZERT as a highly professional security group.

The temporary patch has raised doubts about the reliability of such patches for Windows and about its effect on future patches from Microsoft. ZERT believes the patch would fix the 'buffer overflow' but doesn't say anything about its exact purpose. A ZERT member commented that Microsoft needs to do something about its patching cycle. Members of the ZERT team are working together to release a non-vendor patch for a '0day' (zero-day) vulnerability. The zero-day exploit poses a danger to the public, to the Internet infrastructure, or to both. According to ZERT's website, it aims not to crack products but to ward off security vulnerabilities by un-cracking them before they can be exploited widely.

A Microsoft spokesman said that his company is aware of third-party initiatives to patch vulnerabilities in Microsoft software. Microsoft appreciates such initiatives by vendors and independent security researchers to provide its customers with mitigations. However, according to Microsoft, customers should also obtain security updates and advice from the original software vendor. Microsoft reviews and tests its security updates to maintain high quality and assesses them thoroughly for application compatibility. But it cannot provide a similar guarantee for independent third-party security updates.

The patch for the VML loophole is the first patch released by the group. Time will tell whether people welcome this initiative by ZERT or wait for Microsoft to deliver the good news.

"We're just not seeing that from our data, and our Microsoft Security Response Alliance partners aren't seeing that at all either. Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability."

Releasing a patch for the VML loophole is the first such attempt by ZERT. Only time will tell whether people welcome this initiative by ZERT or look to Microsoft to come up with the solution.

The spokesman said that they were just not seeing that in their data, and neither were their "Microsoft Security Response Alliance" partners. Naturally, that could change at any time. He added that Microsoft was working continually on an update to help protect against this vulnerability, irrespective of the number of people facing the attack.